Multiple Vulnerabilities in Opera
http://www.cert-in.org.in/advisory/ciad-2009-40.htm
Original Issue Date: September 07, 2009
Severity Rating: Medium
System Affected
Opera versions 9.x
Overview
Multiple vulnerabilities have been reported in Opera, which could be
exploited to bypass security restrictions and conduct spoofing attacks.
Description
1. Intermediate Certificate Spoofing Vulnerability (CVE-2009-3046)
This vulnerability exists because Opera fails to check the revocation
status for intermediate certificates not served by the server. This may
cause sites using revoked intermediate certificates to be shown as secure.
2. URL Spoofing Vulnerability (CVE-2009-3047)
This vulnerability is caused by the domain name within the collapsed
address bar not being updated properly, which could cause the previous
domain to be shown instead of the domain of the present site.
This could be exploited by remote attackers to spoof URLs.
3. Limited Address Spoofing Vulnerability (CVE-2009-3049)
This vulnerability arises because certain Unicode characters are treated
incorrectly, which might cause International Domain Names (IDN) that use
them to be shown in the wrong format. Attackers could exploit this
vulnerability to perform limited address spoofing.
4. Security Bypass Vulnerability (CVE-2009-3044)
This vulnerability exists because the browser fails to properly validate
the domain name in a signed CA certificate. A remote attacker could exploit
this vulnerability by using a certificate that has a wildcard immediately
before the top-level domain, or nulls in the domain name, which is then
incorrectly interpreted as secure.
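The two name forms described in item 4, checked by a strict matcher. This is
an added example, not code from Opera or from this advisory; the function
names, the sample hosts and the three-label minimum for wildcards are
assumptions made for illustration.

```python
# Added illustration (not Opera's code): strict matching of a certificate
# DNS name against the requested host. All names here are hypothetical.

def cert_name_is_acceptable(pattern: str) -> bool:
    """Reject the two kinds of certificate name described in item 4."""
    if "\x00" in pattern:
        return False  # embedded NUL: C-style string handling would truncate here
    labels = pattern.lower().rstrip(".").split(".")
    if any(label == "" for label in labels):
        return False  # empty label, e.g. "a..b" or an empty name
    if "*" in pattern:
        # A wildcard must be the whole leftmost label and appear nowhere else.
        if labels[0] != "*" or any("*" in label for label in labels[1:]):
            return False
        # Assumption: require at least "*.name.tld", so "*.com" is refused.
        # Multi-label public suffixes (such as "co.uk") need a suffix list.
        if len(labels) < 3:
            return False
    return True


def host_matches(pattern: str, host: str) -> bool:
    """True only if an acceptable certificate name covers the requested host."""
    if "\x00" in host or not cert_name_is_acceptable(pattern):
        return False
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # "*" stands for exactly one label
    if p[0] == "*":
        return h[0] != "" and p[1:] == h[1:]
    return p == h


# Constructed sample pairs: (name in certificate, host the user requested).
SAMPLES = [
    ("www.example.com", "www.example.com"),
    ("*.example.com", "shop.example.com"),
    ("*.com", "example.com"),
    ("www.example.com\x00.other.test", "www.example.com"),
]

if __name__ == "__main__":
    for cert_name, requested in SAMPLES:
        print(repr(cert_name), requested, host_matches(cert_name, requested))
```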
Solution
Upgrade to Opera 10 or later
http://www.opera.com/download/
Vendor Information
Opera
http://www.opera.com/download/
References
Opera
http://www.opera.com/support/kb/view/929/
http://www.opera.com/support/kb/view/930/
http://www.opera.com/support/kb/view/932/
http://www.opera.com/support/kb/view/934/
http://www.opera.com/docs/changelogs/windows/1000/
ISS XFORCE
http://xforce.iss.net/xforce/xfdb/52965
VUPEN Security
http://www.vupen.com/english/advisories/2009/2500
SecurityFocus
http://www.securityfocus.com/bid/36202/
Secunia
http://secunia.com/advisories/36414/
SecurityTracker
http://www.securitytracker.com/alerts/2009/Sep/1022799.html
Juniper Networks
http://www.juniper.net/security/auto/vulnerabilities/vuln36202.html
CVE Name
CVE-2009-3044
CVE-2009-3046
CVE-2009-3047
CVE-2009-3049
Disclaimer
The information provided herein is on "as is" basis, without warranty of
any kind.
Contact Information
Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
Note: Please do not reply to this e-mail. For further queries contact
CERT-In Information Desk. Email: info@cert-in.org.in